This research article sheds light on the internal password storage and encryption mechanism used for storing WiFi account passwords. It explains where the WiFi passwords are stored on different platforms and how to decrypt them using a practical code sample.

Note that it deals only with WiFi settings stored by the built-in Windows Wireless Configuration Manager. It also covers only Windows Vista and later operating systems, though it may touch on some aspects of Windows XP.

You can click on 'Add' and then on 'Manually Create Network Profile' to create a new WiFi connection.

Below is a screenshot of the 'Add Wireless Network' dialog.

WiFi Password Location

Before we proceed, we need to know where these wireless settings are stored on the system. Depending on the platform, the 'Wireless Configuration Manager' uses different techniques and different storage locations for these wireless settings.

For Windows XP/2003

On XP, all the wireless settings are stored in the Registry at the following location:

Here each wireless device/interface is represented by a unique GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and all the settings for this device are stored under this GUID within the value 'ActiveSettings'. The actual contents are encrypted using 'Windows Cryptography' functions [Reference 1].

Each wireless profile mainly stores the WiFi name, security settings such as authentication and encryption, and the encrypted password.

In the above example, the WiFi network name, aka SSID, is 'SecurityXploded', which is stored in both ASCII and hex format. The next important things are authentication and encryption, which are stored within the <authEncryption> node. This wireless configuration uses WPA (WPAPSK) for authentication and AES for encryption.

Now comes the most interesting part, the 'WiFi Password', which is stored under the <sharedKey> node. Here the <protected> field indicates whether the password is encrypted or stored in clear text. If <protected> is true, the password is encrypted, and the ciphertext can be found in the <keyMaterial> node, as in the above example.

WiFi Password Encryption & Decryption

If you are one of us who live in the crypto world, it does not take much time to decipher the encryption method used here.

Clearly it uses 'Windows Cryptography' functions [Reference 1] to encrypt and decrypt the WiFi passwords. Here is the signature found at the beginning of every encrypted password:

01000000D08C9DDF0115D1118C7A00C0

To be more precise, the 'Wireless Configuration Manager' uses CryptProtectData to encrypt the wireless keys and passwords. Another notable thing is that it does not use any salt or magic key (CryptProtectData's optional entropy) for encryption. This makes decryption simple and straightforward using CryptUnprotectData, as shown in the example below.
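The profile layout described above (the <authEncryption> and <sharedKey> nodes, the <protected> flag, the <keyMaterial> blob) and the DPAPI signature quoted in this section can be checked from the defender's side without touching CryptUnprotectData at all: an auditor only needs to know whether a profile stores its key in clear text and whether a "protected" key actually carries the CryptProtectData header. The script below is an added example, not code from the original article; it assumes the XML namespace used by profiles exported with `netsh wlan export profile`, and the two sample profiles and their key material are constructed placeholder data, not real ciphertext.

```python
"""Audit Windows WLAN profile XML for clear-text keys and DPAPI blob headers.

Added example for this article. Profile layout follows the nodes described in
the text; the sample profiles below are constructed, and their <keyMaterial>
values are placeholders rather than real CryptProtectData output.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespace of WLAN profile XML as written by `netsh wlan export profile`.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Header found at the start of every CryptProtectData (DPAPI) blob, as quoted above.
DPAPI_SIGNATURE = "01000000D08C9DDF0115D1118C7A00C0"


@dataclass
class ProfileKeyInfo:
    ssid: Optional[str]
    ssid_hex: Optional[str]
    authentication: Optional[str]
    encryption: Optional[str]
    protected: Optional[bool]
    key_material: Optional[str]

    def has_dpapi_header(self) -> bool:
        """True when the stored key begins with the DPAPI blob signature."""
        return bool(self.key_material) and self.key_material.upper().startswith(DPAPI_SIGNATURE)


def _text(elem: ET.Element, path: str) -> Optional[str]:
    node = elem.find(path, NS)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def parse_profile(xml_text: str) -> ProfileKeyInfo:
    """Extract SSID, security settings and shared-key fields from one profile."""
    root = ET.fromstring(xml_text)
    protected_text = _text(root, "w:MSM/w:security/w:sharedKey/w:protected")
    protected = None if protected_text is None else protected_text.lower() == "true"
    return ProfileKeyInfo(
        ssid=_text(root, "w:SSIDConfig/w:SSID/w:name"),
        ssid_hex=_text(root, "w:SSIDConfig/w:SSID/w:hex"),
        authentication=_text(root, "w:MSM/w:security/w:authEncryption/w:authentication"),
        encryption=_text(root, "w:MSM/w:security/w:authEncryption/w:encryption"),
        protected=protected,
        key_material=_text(root, "w:MSM/w:security/w:sharedKey/w:keyMaterial"),
    )


def audit_profile(info: ProfileKeyInfo) -> List[str]:
    """Return a list of findings; an empty list means the profile looks as expected."""
    findings: List[str] = []
    if info.key_material and info.protected is False:
        findings.append("shared key stored in clear text (<protected> is false)")
    if info.key_material and info.protected and not info.has_dpapi_header():
        findings.append("protected key does not start with the DPAPI blob header")
    if info.ssid and info.ssid_hex:
        try:
            decoded = bytes.fromhex(info.ssid_hex).decode("utf-8", "replace")
        except ValueError:
            findings.append("SSID <hex> is not valid hex")
        else:
            if decoded != info.ssid:
                findings.append("SSID <hex> does not match SSID <name>")
    return findings


def _profile(protected: str, key_material: str) -> str:
    # Constructed sample profile; 536563...6564 is the hex encoding of "SecurityXploded".
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        "<name>SecurityXploded</name>"
        "<SSIDConfig><SSID><hex>536563757269747958706C6F646564</hex>"
        "<name>SecurityXploded</name></SSID></SSIDConfig>"
        "<connectionType>ESS</connectionType>"
        "<MSM><security>"
        "<authEncryption><authentication>WPAPSK</authentication>"
        "<encryption>AES</encryption><useOneX>false</useOneX></authEncryption>"
        f"<sharedKey><keyType>passPhrase</keyType><protected>{protected}</protected>"
        f"<keyMaterial>{key_material}</keyMaterial></sharedKey>"
        "</security></MSM></WLANProfile>"
    )


# Placeholder "ciphertext": DPAPI header followed by filler bytes (not a real blob).
ENCRYPTED_PROFILE = _profile("true", DPAPI_SIGNATURE + "0102030405060708")
# Profile that stores the passphrase unencrypted.
CLEARTEXT_PROFILE = _profile("false", "example-passphrase")

if __name__ == "__main__":
    for label, xml_text in (("encrypted", ENCRYPTED_PROFILE), ("cleartext", CLEARTEXT_PROFILE)):
        info = parse_profile(xml_text)
        print(label, info.ssid, info.authentication, info.encryption, audit_profile(info) or "ok")
```

Run against the XML files that `netsh wlan export profile` writes, the audit flags any profile whose key is left unprotected and any "protected" key whose blob does not carry the header the article identifies, which is the quickest way to confirm what the operating system actually did with a stored passphrase.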

One catch here is that you can't decrypt the password simply because you are an administrator. To successfully decrypt the password, you have to perform the decryption operation in the SYSTEM context.

There are many ways to execute code in the SYSTEM context; one popular way is to inject the code via a remote thread [Reference 2] into a system process such as LSASS.EXE. But this is riskier, as any flaw in the code can bring down the entire system. A much safer way is to create a Windows service running as the System account and then execute the above decryption code from that service.